The aim of the policy is to provide information for the data subject, taking into consideration the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: Info Act) and the provisions of Regulation 2016/679/EU of the European Parliament and the Council [GDPR], about the personal data processed by the controller defined in point 2, about the aim of data processing, its method, and about any other fact about the processing of data, especially but not limited to the rights regarding the processing of personal data, and about the possibilities for legal remedy.
Legal status of the data protection officer:
The controller shall assure that the data protection officer takes part properly and in a timely manner in any and all issue that is in connection with the protection of personal data. Resources have to be provided for keeping the data protection officer professionally well- informed regarding data protection.
The data protection officer may not accept any instruction from anyone regarding its duties. Neither the controller, nor the processor may dismiss the data protection officer, nor may they penalize him or her for performing his or her tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights.
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.
The data protection officer may fulfil other tasks and duties, but any such task and duty shall not result in a conflict of interests.
Tasks of the data protection officer:
- Article VI of the Fundamental Law of Hungary;
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: “Info Act”);
- Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
The controller shall be responsible for performing the data protection impact assessment regarding the rights and freedoms of natural persons, by assessing the source, nature, specifications and gravity of the risk. When deciding what measures are suitable for substantiating that the processing of personal data is in line with the GDPR, the findings of the impact assessment shall be taken into account. The controller shall consult the National Authority for Data Protection and Freedom of Information (NAIH) prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of suitable measures in terms of the available technology and the costs of execution taken by the controller to mitigate the risk. In case it shall be necessary in the future to perform data protection impact assessment regarding high risk data processing, it shall be performed by using the open source software (original name: “PIA” software, hereinafter referred to as: impact assessment software) published by the French data protection authority (Commission Nationale de l'Informatique et des Libertés, hereinafter referred to as: CNIL), which is also recommended by NAIH.
The controller shall prepare a separate policy regarding the data protection impact assessment.
In case of data protection based on legitimate interest (GDPR Section 6 (1) f)) the weighting of interests shall be concluded based on NAIH/2015/3731/2/V állásfoglalás. According to this, the test of weighting of interests is a process consisting of several steps, during which the legitimate interest of the data processor, and as the counterpoint of weighting, the interest of the data subject, the given fundamental right have to be identified, and finally based on the weighting, it has to be established whether the personal data may be processed or not.
Steps to be applied when performing the test of weighting interests:
The controller shall prepare a separate policy regarding the test of weighting interests.
8. 1. Tasks and competence, responsibilities of the controller
The primary controller shall compensate any damage which a person may suffer as a result of processing the personal data of the data subject unlawfully, or as a result of breaching the requirements regarding technical data protection. The controller shall be held liable towards the data subject for the damage caused by the processor as well. The controller shall be exempt from liability for damages if he or she proves that the damage was caused by unavertable reasons beyond the processing of data. No compensation shall be paid where the damage was caused by intentional or severely negligent conduct on the part of the person whose rights had been violated.
8.2. Tasks and competence, responsibilities of the processor
The rights and responsibilities of the processor regarding the processing of personal data shall be laid down by the controller in line with the present policy and with the applicable legal regulations. The processor shall be liable for the processing, modification, deletion, forwarding and disclosing of the personal data within the sphere of its activities and the boundaries laid down by the controller. It has to be included in the agreement concluded with the processor that based on the provisions of the controller, the processor may use another processor according to the provisions of the controller when performing its processing activities, and that it is possible to immediately terminate the agreement if the provisions relating to data processing are breached.
The controller shall not erase the data if data processing is necessary based on one of the reasons below:
11. 1. Providing information regarding data processing
Data subjects shall have the right to obtain information about the processing of their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information.
The information that is provided has to contain the following:
11.2 The lawfulness of data processing
Processing shall be lawful if the controller has at least one of the following legal bases that applies for data processing:
11.3 The scope of personal data processed by the controller, the purpose of data processing, the duration of data processing shall be found in the register of data processing activities that form Annex 1 of the present policy, which shall be disclosed by the controller on its homepage.
The register of data processing activities shall contain:
Regarding the data processing activities indicated in the data processing register, separate privacy policies have been prepared, which form Annexes 1-21 of the register.
11. 4. Duration of data processing
Data shall be stored for the shortest possible time. When establishing this time limit, the controller’s data processing purpose, as well as legal regulations applicable for the storing of data have to be taken into consideration.
11. 5. Internal transmission of data
Personal data may only be transmitted within the controller’s organization in line with the principle of purpose limitation, and right to access may only be given if there is a proper purpose.
11. 6. Data transmission for third persons
Personal data may only be transmitted to any third person based on law, or under the consent of the data subject, provided that the conditions regarding data processing are fulfilled regarding all personal data. Controller has to examine before transmitting the data whether the legal conditions are met, and that the conditions for data processing are met regarding any and all personal data following the transmission. Before transmitting data for the same controllers, regarding the same data subject, with the same purpose, the data protection officer shall be involved in the examination whether the transmission is lawful or not. No separate examinations are needed regarding transmissions subsequent to this. The data protection officer shall keep a data transmission register regarding transmissions, and shall store it in line with the regulations. The data transmission register has to be stored until the end of the fifth year following the year when the data communication or transmission was made (in special cases, for twenty years).
The register of data transmission shall contain:
11.7 Transmitting data abroad or to third countries
Before the transmission of data, the controller - together with the data protection officer - has to examine whether the legal conditions are met, and that the conditions for data processing are kept regarding any and all personal data following the transmission.
11.8 Special data, including biometric data are not processed by the data controller.
According to GDPR, personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
12.1 Reporting personal data breach
As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the competent supervisory authority (NAIH) about the personal data breach without undue delay and, where feasible, not later than 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If reporting is not performed within 72 hours, the reasons that justify the delay have to be attached as well.
12.2 Investigating and handling personal data breach
The data protection officer inspects the reporting, requests data from the person making the reporting, who shall fulfil this request within 2 working days.
The provision of data has to include:
The data protection officer shall make a suggestion regarding the necessary measure. The person responsible for the processing of data shall inform the data protection officer within two days following the performance of the given measures about the specific measures taken regarding averting personal data breach
12.3 Register of personal data breach
The controller shall keep a register on breaches of personal data. According to GDPR, the controller shall provide suitable technical and organizational measures in order to be able to explore and evaluate vulnerabilities and security breaches. Thus the controller, above documenting personal data breach, shall use suitable processes and measures to explore and handle security breaches in time.
The present policy shall enter into force on 30 November 2018. The controller is entitled to modify the policy unilaterally - provided it is not against the law. The policy is available at the registered office of the controller.
Alsópáhok, 30. November 2018
| Processing of website user’s data | |
| Scope of personal data processed | the start and end time of the visit of website user, its IP address and other recorded browsing data (cookie) |
| Purpose of processing | identification of website visitors, understanding the browsing habits, increasing the user experience |
| Legal basis for processing | the data subject’s consent /point (a) of Article 6(1) of the GDPR/ |
| Source of data | from the data subject |
| Transfer of personal data | 1. To Morgens Design Kft. (8800 Nagykanizsa, Csányi László u 2) for the operation of the website 2. To Webshop Marketing Kft. (4028 Debrecen, Kassai út 129) for managing cookie settings |
| Deadline for data erasure | until the withdrawal of the data subject’s consent |
| Related document | Document number: 001 Document name: Privacy notice - cookie |
| Direct marketing (sending newsletters) | |
| Scope of personal data processed | name and e-mail address |
| Purpose of processing | marketing and remarketing purposes, promotion of the controller’s service by sending on-line newsletters |
| Legal basis for processing | the data subject’s consent /point (a) of Article 6(1) of the GDPR/ |
| Source of data | from the data subject |
| Transfer of personal data | 1. fps webügynökség kft. (3526 Miskolc, Arany J. tér 1.) for the purpose of providing newsletter sending service |
| Deadline for data erasure | until the withdrawal of the data subject’s consent |
| Related document | Document number: 002 Document name: Privacy Notice- subscription for newsletters |
| Quotation request | |
| Scope of personal data processed | name, e-mail, phone number, address, number of persons who wish to use the service, (number of children, their age) |
| Purpose of processing | contact, communication, sending personalised offers |
| Legal basis for processing | performance of the contract /point (b) of Article 6(1) of the GDPR/ |
| Source of data | from the data subject |
| Transfer of personal data | 1. To Morgens Design Kft. (8800 Nagykanizsa, Csányi László u 2) on the purpose of operating on-line quotation request system |
| Deadline for data erasure | - in case of successful quotation request, according to the rule of booking, - if the offer is rejected, until the day of reject, - if no answer arrives to the offer, until the day after the offer validity expires |
| Related document | Document number: 003 Document name: Privacy Notice - quotation request |
| Direct booking | |
| Scope of personal data processed | name, e-mail, phone number, address, number of persons who wish to use the service, (number of children, their age) |
| Purpose of processing | arranging booking |
| Legal basis for processing | performance of the contract /point (b) of Article 6(1) of the GDPR/ data processing with regard to the date of birth on the basis of legislation (Articles 30 and 31 of Act C of 1990) /point (c) Article 6(1) of the GDPR/ |
| Source of data | from the data subject |
| Transfer of personal data | 1. To Morgens Design Kft. (8800 Nagykanizsa, Csányi László u 2) on the purpose of operating online booking system 2. OTP Bank Nyrt, OTP Mobil Kft. and CIB Bank Zrt. Operation of the payment system needed for online payment transactions |
| Deadline for data erasure |
- the personal data acquired during the booking will be processed until the contractual relationship with the data subject exists |
| Related document | Document number: 004 Document name: Privacy Notice - booking |
| Booking through intermediaries | |
| Scope of personal data processed | name, e-mail, phone number, number of persons who wish to use the service, (number of children, their age) and in some cases, credit card information |
| Purpose of processing | arranging booking |
| Legal basis for processing | performance of the contract /point (b) of Article 6(1) of the GDPR/ data processing with regard to the date of birth on the basis of legislation (Articles 30 and 31 of Act C of 1990) /point (c) Article 6(1) of the GDPR/ |
| Source of data | from online intermediary companies, travel agencies considered as independent data controllers |
| Transfer of personal data | online booking sites and travel agencies are considered as independent data controllers; in this process, data processor will not be required |
| Deadline for data erasure |
- the personal data acquired during the booking will be processed until the contractual relationship with the data subject exists |
| Related document | Document number: 004 Document name: Privacy Notice - booking |
| Gift voucher order | |
| Scope of personal data processed |
customer’s name, e-mail address, phone number, postal address, billing address |
| Purpose of processing | provision of gift voucher service |
| Legal basis for processing | performance of the contract /point (b) of Article 6(1) of the GDPR/ |
| Source of data | the customer’s data from the data subject, the recipient’s data from the customer |
| Transfer of personal data | 1. To Morgens Design Kft. (8800 Nagykanizsa, Csányi László u 2) on the purpose of operating online booking system 2. OTP Bank Nyrt, OTP Mobil Kft. and CIB Bank Zrt. Operation of the payment system needed for online payment transactions |
| Deadline for data erasure | Data that is not necessary for billing will be processed for 1 year or until the redemption of the voucher, whichever occurs earlier. |
| Related document | Document number: 005 Document name: Privacy Notice - gift voucher |
| Regulars’ Programme |
|
| Scope of personal data processed | name, number of previous hotel stays |
| Purpose of processing | providing discounts, increasing sales, building clientele |
| Legal basis for processing | the data subject’s consent /point (a) of Article 6(1) of the GDPR/ |
| Source of data | from data subject, from own records |
| Transfer of personal data | does not take place |
| Deadline for data erasure | until the withdrawal of the data subject’s consent |
| Related document |
Document number: 008 |
| Billing | |
| Scope of personal data processed | name, address, credit card information |
| Purpose of processing | providing discounts, increasing sales, building clientele |
| Legal basis for processing | Fulfillment of legal obligations laid down in Article 169 of Act C of 2000 on Accounting /point (c) of Article 6(1) of the GDPR/ |
| Source of data | from the data subject |
| Transfer of personal data | OTP Bank Nyrt, OTP Mobil Kft. and CIB Bank Zrt. For the purpose of conducting payment transaction. |
| Deadline for data erasure | under Article 169 of Act C of 2000 on Accounting, for 8 years |
| Related document | Document number: 008 Document name: Privacy Notice - check in |
| Photo shoot, video recording | |
| Scope of personal data processed | image of the guest and his child |
| Purpose of processing | promotion of the hotel through social network sites |
| Legal basis for processing | the data subject’s consent /point (a) of Article 6(1) of the GDPR/ |
| Source of data | from the assigned photographer |
| Transfer of personal data | does not take place |
| Deadline for data erasure | until the withdrawal of the data subject’s consent |
| Related document | Document number: 016 Document name: Privacy Notice - photo and video |
| Kolping Hotel**** Spa & Family Resort | Tel.: +36 83 344 143 | sales@kolping.hotel.hu |